FDR is equipped with several key alerting mechanisms including real-time alerts generated by 0day activity and retrospective alerts which identify 0day activity already present within a network environment.
FDR operates against web, email, and network traffic. Email traffic deserves special attention, however, as it is the primary conduit where end-user interaction occurs. To that end, a key part of the FDR solution is email banners. Driven by thousands of signatures, thousands of heuristics, hundreds of ML models, and dozens of technologies, banners provide simple, color-coded email risk indicators to users. Currently FDR supports roughly two dozen banners ranging from red (danger) to yellow (caution) - each tunable from terse to verbose. Banners are generated from InQuest's threat scoring algorithm and take into consideration customer-specific detection logic, threat intelligence, and integrations. Additionally, email banners help provide end-user awareness and training - effectively placing a security engineer over the shoulder of each user.
FDR has several blocking mechanisms. Emails and attachments can be blocked from delivery. Malicious web traffic can be blocked via an ICAP cache/proxy. Network traffic can be blocked by pushing IPs and domains (via the FDR GUI) to a third-party IPS. As an example, a security analyst could see something they don't like in the FDR GUI, then instantly block an IP address (via FDR's TippingPoint integration) for a prescribed period of time.